Linearization is the procedure of rewriting a process term into a linear form, which consists only of
basic operators of the process language. This procedure is interesting both from a theoretical and
a practical point of view. In particular, a linearization algorithm is needed for the Compositional
Interchange Format (CIF), an automaton based modeling language.

The problem of devising efficient linearization algorithms is not trivial, and has already been
addressed in the literature. However, the linearization algorithms obtained are the result of an inventive
process, and the proof of correctness comes as an afterthought. Furthermore, the semantic specification
of the language does not play an important role in the design of the algorithm.

In this work we present a method for obtaining an efficient linearization algorithm, through a
step-wise refinement of the SOS rules of CIF. As a result, we show how the semantic specification
of the language can guide the implementation of such a procedure, yielding a simple proof of
correctness.



1 Introduction 



Linearization is the procedure of rewriting a process term into a linear form, which consists only of basic
operators of a process language [10, 4, 15]. Linearization is also referred to as elimination in ACP style
process algebras [1].

From a theoretical perspective, linearization of process terms is an interesting result. It allows a
better understanding of the expressiveness of the language constructs, since it shows that all its terms
are reducible to some normal form (which contains only a limited set of operators of the language). Also,
linearization is useful in proving properties about closed terms, since the number of cases that need to
be dealt with in a proof by structural induction becomes smaller.

The Compositional Interchange Format (CIF) [2] is a language for modeling real-time, hybrid and
embedded systems. CIF is developed to establish inter-operability of a wide range of tools by means
of model transformations to and from the CIF. As such it plays a central role in the European projects
Multiform, HYCON [9], C4C [5], and HYCON 2 [8]. CIF has a formal semantics, which is
defined in terms of Structured Operational Semantics (SOS) rules in the style of Plotkin [14].

Besides its theoretical importance, linearization of CIF models eliminates operators, such as urgency,
that cannot be handled in other languages. Since CIF is meant to be used as an interchange format, the
elimination of these operators broadens the set of models that can be translated to other languages. For the
hierarchical extension of CIF, hCIF, linearization makes the elimination of hierarchy possible, and
thus, all the tools available for CIF become available for use with hCIF models as well.

It is our goal to build a linearization algorithm for CIF, which results in an efficient representation
of the original model, and such that all the operators of the language, such as parallel composition or
synchronization, are eliminated. The problem of efficient linearization has already been studied in the
literature [15, 10] for process-algebraic languages for describing and analyzing discrete-event systems
and hybrid systems. However, in the previous cases, the linearization algorithm is the result of an inventive
process, and the proof of correctness comes as an afterthought. The semantic specification of the
language does not play an important role in the design of the algorithm.

Previously, we studied the problem of implementing a simulator from the SOS specification of
CIF [13]. The semantics of CIF is defined in terms of SOS rules, which induce a hybrid transition
system, where each state contains a CIF term followed by a valuation (assignment of values to variables).
This kind of semantics, even though useful for specification purposes, was not suitable for the
implementation of a simulator (interpreter) for the language. This problem was solved by giving a set of
SOS rules, called symbolic rules, which induce transition systems that do not contain the valuation part.
It was also noted that the symbolic transition system induced by these rules is finite, and that it resembles a
(CIF) automaton. Thus, the symbolic SOS rules for CIF offer a straightforward algorithm for linearizing
CIF models. However, the resulting automaton has a size that may be exponential in the size of the input
model.

In this work we study the possibility of reusing the existing results on efficient linearization algorithms
for obtaining a linear form of CIF from SOS rules. The idea is to give a more concrete version of
the symbolic SOS rules of CIF (which is in turn a concrete version of the SOS rules with data), such that
the transition system they induce can be translated to an automaton whose size does not grow exponentially
as the result of interleaving actions (for synchronizing actions the growth is still exponential, but in
practice this is not a serious limitation since synchronization takes place only among a limited number
of components).

As a result, we show a linearization procedure, which is obtained from the SOS specification of the
language. In this way, the design of the algorithm requires fewer invention steps, reducing the opportunities
to introduce mistakes, and at the same time it yields a simple proof of correctness.

2 Setting the Scene 

For the discussion presented here, we consider a simplified version of CIF, which is untimed and contains
only automata, a parallel composition operator, and a synchronizing action operator. This helps to keep
the focus on the ideas, without distracting the reader with the complexity of CIF.¹ The techniques and
results presented here can be easily extended to the setting of timed and hybrid systems, since we handle
concepts such as invariants and time-can-progress conditions in a symbolic manner.

We begin by defining automata and the terms of our language. Throughout this work, notation $\mathcal{P}$
is used to refer to a set of predicates, $\mathcal{V}$ is a set of variables, $\mathcal{A}$ is a set of actions, $\tau$ is the silent action
($\tau \notin \mathcal{A}$), and $\mathcal{A}_\tau = \mathcal{A} \cup \{\tau\}$.

Definition 1 (Automaton) An automaton is a tuple $(V, \mathrm{init}, \mathrm{inv}, E, \mathrm{acts})$, where $V \subseteq \mathcal{L}$ is a set of
locations ($\mathcal{L}$ being the set of all locations), $\mathrm{init} \in V \to \mathcal{P}$ is the initial predicate function, $\mathrm{inv} \in V \to \mathcal{P}$ is the
invariant function, $E \subseteq V \times \mathcal{A}_\tau \times \mathcal{P} \times V$ is the set of edges, and $\mathrm{acts} \subseteq \mathcal{A}$ is a set of synchronizing actions.

Figure 1 presents a model of a railroad gate. It has two modes of operation (locations), closed and
opened, denoted C and O respectively. Its initial predicate function associates the condition $wq = [\,]$ to
location C (represented graphically with an incoming arrow without source location), and the predicate
false to location O (represented by the absence of such an arrow). Here $wq$ is the waiting queue that
contains the ids of the trains waiting to pass through the gate, $[\,]$ is the empty list, and we denote lists by
writing their elements between brackets, separated by commas. Location C has $n = 0$ as invariant,
where $n$ is the number of trains crossing the gate, and location O has invariant $n \leq 1$. The automaton
synchronizes with other components in actions rq, go, and out.

¹ This language contains over 30 deduction rules.

The automaton has four edges. Two edges $(C, rq, wq^+ = wq \mathbin{+\!\!+} [id^+], C)$ and $(O, rq, wq^+ = wq \mathbin{+\!\!+} [id^+], O)$
are used to enqueue requests from the trains that want to pass the gate. Given two
sequences $xs$ and $ys$, $xs \mathbin{+\!\!+} ys$ denotes their concatenation. The predicate $wq^+ = wq \mathbin{+\!\!+} [id^+]$ expresses
that the new value of the waiting queue after performing action rq will be the old waiting queue ($wq$)
extended with the id of the train that requests access (this id is contained in variable $id^+$). Graphically
these edges are represented by two self loops in locations C and O, labeled $rq, wq^+ = wq \mathbin{+\!\!+} [id^+]$. The
gate can make a transition from the closed state to the opened state by issuing a go action, which sends
the id at the front of the waiting queue using variable $p$.
[Figure 1 (diagram): gate automaton with locations C and O, and rq self loops labeled $rq, wq^+ = wq \mathbin{+\!\!+} [id^+]$.]

Figure 1: CIF model of a gate.

In Figure 2 we present the model of a train, which will be run in parallel with the gate model. It
has a parameter $i$, which represents the train's id. It has four locations: far (F), near (N), stopped (S),
and passing (P). Location F is the only initial location. When the train approaches the gate it issues a
request to pass the gate by sending its id through variable $id$. Once in the near location, it can only go to
the passing state if variable $p$ is updated to its id (this update is carried out by the gate, as we have seen
above). Otherwise it makes a transition to the stopped state. When the train enters the gate it increments
variable $n$, and it decrements it upon departure.

These models can be composed in parallel using the parallel composition operator, denoted as $\parallel$.
Actions in CIF are not synchronizing by default. Thus in the parallel composition

$Train(0) \parallel Train(1)$

the actions of the two trains will be interleaved.

We want to put the parallel composition of the two trains in parallel with the gate automaton, in such
a way that the trains synchronize with the actions rq, go, and out of the gate. This can be achieved using
the synchronizing action operator, denoted as $\gamma_A$. Informally, composition $\gamma_A(p)$ behaves as composition
$p$, except that all the actions of the set $A$ are made synchronizing in $p$. Below we explain this. Using
these operators, we can express the train gate model in CIF as follows:

$\gamma_{\{rq,go,out\}}(Train(0) \parallel Train(1)) \parallel Gate \quad (1)$
[Figure 2 (diagram): automaton $Train(i)$ with locations F, N, S and P.]

Figure 2: CIF model of a train.



As a consequence of the use of the synchronizing action operator in (1), action $a \in \{rq, go, out\}$ in
$Train(j)$, $j \in \{0, 1\}$, will synchronize with action $a$ in the gate. Actions in the set $\{rq, go, out\}$ are
interleaved in the parallel composition of the trains (they do not synchronize) since the scope operator
only makes actions synchronizing in the outer scope. For more details see the rules and their explanation
in Table 1.

Formally, the set of all CIF compositions is defined as follows: 

Definition 2 (Compositions) The set of all compositions $\mathcal{C}$ is defined through the following abstract
grammar: $\mathcal{C} ::= \alpha \mid \mathcal{C} \parallel \mathcal{C} \mid \gamma_A(\mathcal{C})$, where $\alpha$ is an automaton and $A \subseteq \mathcal{A}$.

In the next section we present the formal semantics of CIF compositions, both its explicit version 
and its symbolic counterpart. 

2.1 Explicit and Symbolic Semantics of CIF 

The semantics of CIF is defined in terms of hybrid transition systems [6]. In the context of the present
work, we restrict our attention to ordinary transition systems (thus omitting time transitions), extended
with environment transitions (see below).

The labeled transition systems we are considering have states of the form $(p,\sigma)$. Here $p \in \mathcal{C}$ and
$\sigma \in \Sigma$ is a valuation, where $\Sigma = \mathcal{V} \to \Lambda$, and $\Lambda$ denotes a set of values. The valuation records the values
of the model variables at a certain moment. There are two types of transitions in these labeled transition
systems. Action transitions, of the form

$(p,\sigma) \xrightarrow{a,b} (p',\sigma')$

model the execution of an action $a$ by composition $p$ in an initial valuation $\sigma$, which changes composition
$p$ into $p'$ and results in a new valuation $\sigma'$. Label $b$ is a boolean that indicates whether action $a$ is
synchronizing. Environment transitions (written with a dashed arrow), of the form

$(p,\sigma) \overset{A}{\dashrightarrow} (p',\sigma')$

model the fact that the initial conditions and invariants of $p$ ($p'$ respectively) are satisfied in $\sigma$ ($\sigma'$), and
$A$ is the set of synchronizing actions of $p$ and $p'$. Environment transitions are used to obtain the state
changes allowed by a model in a parallel composition context.

The transition system associated to a composition can be obtained by means of SOS rules. Below we
present the explicit rules, where we have omitted the symmetric version of the parallel composition rule.
Given a valuation $\sigma$, we define $\sigma^+ = \{(x^+, v) \mid (x, v) \in \sigma\}$. We use notation $\alpha$ to refer to the automaton
$(V, \mathrm{init}, \mathrm{inv}, E, \mathrm{acts})$, and $\alpha[x]$ to refer to $(V, \mathrm{id}_x, \mathrm{inv}, E, \mathrm{acts})$, where $\mathrm{id}_x(w) = (w = x)$. Throughout this
work, $FV(p)$ is the set of free variables of $p$.

$$\frac{(v,a,r,v') \in E,\;\; \sigma \models \mathrm{init}(v) \land \mathrm{inv}(v),\;\; \sigma' \models \mathrm{inv}(v'),\;\; \sigma'^{+} \cup \sigma \models r,\;\; (\forall x :: x^{+} \notin FV(r) \Rightarrow \sigma(x) = \sigma'(x))}{(\alpha,\sigma) \xrightarrow{a,\; a \in \mathrm{acts}} (\alpha[v'],\sigma')} \quad (1)$$

$$\frac{v \in V,\;\; \sigma \models \mathrm{init}(v) \land \mathrm{inv}(v),\;\; \sigma' \models \mathrm{inv}(v)}{(\alpha,\sigma) \overset{\mathrm{acts}}{\dashrightarrow} (\alpha[v],\sigma')} \quad (2)$$

$$\frac{(p,\sigma) \xrightarrow{a,\mathrm{true}} (p',\sigma'),\;\; (q,\sigma) \xrightarrow{a,\mathrm{true}} (q',\sigma')}{(p \parallel q,\sigma) \xrightarrow{a,\mathrm{true}} (p' \parallel q',\sigma')} \quad (3)
\qquad
\frac{(p,\sigma) \xrightarrow{a,b} (p',\sigma'),\;\; (q,\sigma) \overset{A}{\dashrightarrow} (q',\sigma'),\;\; a \notin A}{(p \parallel q,\sigma) \xrightarrow{a,b} (p' \parallel q',\sigma')} \quad (4)$$

$$\frac{(p,\sigma) \overset{A}{\dashrightarrow} (p',\sigma'),\;\; (q,\sigma) \overset{A'}{\dashrightarrow} (q',\sigma')}{(p \parallel q,\sigma) \overset{A \cup A'}{\dashrightarrow} (p' \parallel q',\sigma')} \quad (5)
\qquad
\frac{(p,\sigma) \xrightarrow{a,b} (p',\sigma')}{(\gamma_A(p),\sigma) \xrightarrow{a,\; b \lor a \in A} (\gamma_A(p'),\sigma')} \quad (6)$$

$$\frac{(p,\sigma) \overset{A'}{\dashrightarrow} (p',\sigma')}{(\gamma_A(p),\sigma) \overset{A \cup A'}{\dashrightarrow} (\gamma_A(p'),\sigma')} \quad (7)$$

Table 1: Explicit rules for CIF

Rule 1 states that an action can be triggered by an automaton if there is an edge $(v,a,r,v')$ such that
the initial predicate and the invariant are satisfied in the initial valuation $\sigma$, and it is possible to find a new
valuation $\sigma'$ in which the invariant and the reset predicate are satisfied. The only variables that change
in $\sigma'$ w.r.t. $\sigma$ are those free variables of $r$ that are of the form $x^+$. Rule 2 states that an automaton is
consistent in initial valuation $\sigma$ if the initial predicate and invariant are satisfied in $\sigma$, and the valuation
can be changed to $\sigma'$ only if the invariant is preserved. Rule 3 expresses that an action $a$ can be executed
synchronously if it is marked as synchronizing in both components. The interleaving behavior is modeled
in Rule 4, where an action $a$ can be executed in $p$ if it is not synchronizing in $q$. In Rule 6 an action $a$ is
marked as synchronizing if $a \in A$, or $a$ is synchronizing in $p$. The environment rule for the synchronizing
action operator (Rule 7) adds $A$ to the set of synchronizing actions of $p$.

As noted in [13], the explicit rules are not suitable for implementation purposes. These rules often
induce infinitely branching transition systems, and as a consequence it is not possible to obtain the set of
possible successor states. In particular, the labels of the hybrid transition systems contain trajectories
over a dense domain, which are defined in the rules through computations over these dense sets. Another
problem is that the valuations specify implicit constraints, such as "variables owned by a certain automaton
cannot be changed in a parallel composition", which require computing operations on infinite sets
of valuations to get the set of possible successor states.
The solution to the problem explained above was to obtain a set of symbolic rules from the explicit
SOS specification. These symbolic rules represent the possible state changes by means of predicates, and
thus, the state change caused by an action is visible on the arrows of the transitions. The symbolic rules
for the language considered in this paper are shown in Table 2.

$$\frac{(v,a,r,v') \in E}{(\alpha) \xrightarrow{a,\; a \in \mathrm{acts},\; \mathrm{init}(v),\; \mathrm{inv}(v),\; \mathrm{inv}(v'),\; r} (\alpha[v'])} \quad (8)
\qquad
\frac{v \in V}{(\alpha) \overset{\mathrm{init}(v),\; \mathrm{inv}(v),\; \mathrm{acts}}{\dashrightarrow} (\alpha[v])} \quad (9)$$

$$\frac{(p) \xrightarrow{a,\mathrm{true},u_p,n_p,n'_p,r_p} (p'),\;\; (q) \xrightarrow{a,\mathrm{true},u_q,n_q,n'_q,r_q} (q')}{(p \parallel q) \xrightarrow{a,\mathrm{true},\; u_p \land u_q,\; n_p \land n_q,\; n'_p \land n'_q,\; r_p \land r_q} (p' \parallel q')} \quad (10)$$

$$\frac{(p) \xrightarrow{a,b,u_p,n_p,n',r} (p'),\;\; (q) \overset{u_q,n_q,A}{\dashrightarrow} (q'),\;\; a \notin A}{(p \parallel q) \xrightarrow{a,b,\; u_p \land u_q,\; n_p \land n_q,\; n' \land n_q,\; r} (p' \parallel q')} \quad (11)$$

$$\frac{(p) \overset{u_p,n_p,A_p}{\dashrightarrow} (p'),\;\; (q) \overset{u_q,n_q,A_q}{\dashrightarrow} (q')}{(p \parallel q) \overset{u_p \land u_q,\; n_p \land n_q,\; A_p \cup A_q}{\dashrightarrow} (p' \parallel q')} \quad (12)$$

$$\frac{(p) \xrightarrow{a,b,u,n,n',r} (p')}{(\gamma_A(p)) \xrightarrow{a,\; b \lor a \in A,\; u,\; n,\; n',\; r} (\gamma_A(p'))} \quad (13)
\qquad
\frac{(p) \overset{u,n,A'}{\dashrightarrow} (p')}{(\gamma_A(p)) \overset{u,\; n,\; A \cup A'}{\dashrightarrow} (\gamma_A(p'))} \quad (14)$$

Table 2: Symbolic rules for CIF

The explicit and symbolic rules are related by the following soundness and completeness theorems. 
These theorems state how an explicit transition system can be reconstructed from its symbolic version, 
and vice-versa. 

Theorem 1 (Soundness of action transitions) For all $p$, $p'$, $a$, $b$, $u$, $n$, $n'$, $r$, $\sigma$, and $\sigma'$ we have that if
the following conditions hold:

1. $(p) \xrightarrow{a,b,u,n,n',r} (p')$

2. $\sigma \models u$, $\sigma \models n$, $\sigma' \models n'$, and $\sigma'^{+} \cup \sigma \models r$

3. $(\forall x :: x^{+} \notin FV(r) \Rightarrow \sigma(x) = \sigma'(x))$

then there is an explicit action transition $(p,\sigma) \xrightarrow{a,b} (p',\sigma')$.

Theorem 2 (Completeness of action transitions) For all $p$, $p'$, $a$, $b$, $\sigma$, and $\sigma'$ we have that if there is
an explicit transition $(p,\sigma) \xrightarrow{a,b} (p',\sigma')$ then there exist $u$, $n$, $n'$, and $r$ such that the following conditions
hold:

1. $(p) \xrightarrow{a,b,u,n,n',r} (p')$

2. $\sigma \models u$, $\sigma \models n$, $\sigma' \models n'$, and $\sigma'^{+} \cup \sigma \models r$

3. $(\forall x :: x^{+} \notin FV(r) \Rightarrow \sigma(x) = \sigma'(x))$

Theorem 3 (Soundness of environment transitions) For all $p$, $p'$, $u$, $n$, $A$, $\sigma$, and $\sigma'$ we have that if the
following conditions hold:

1. $(p) \overset{u,n,A}{\dashrightarrow} (p')$

2. $\sigma \models u$, $\sigma \models n$, $\sigma' \models n$

then there is an explicit environment transition $(p,\sigma) \overset{A}{\dashrightarrow} (p',\sigma')$.

Theorem 4 (Completeness of environment transitions) For all $p$, $p'$, $A$, $\sigma$, and $\sigma'$ we have that if there
is an explicit transition $(p,\sigma) \overset{A}{\dashrightarrow} (p',\sigma')$ then there exist $u$ and $n$ such that the following conditions
hold:

1. $(p) \overset{u,n,A}{\dashrightarrow} (p')$

2. $\sigma \models u$, $\sigma \models n$, $\sigma' \models n$

It is not hard to see that given a CIF composition, the symbolic rules induce a finite transition system.
For the model of the train gate presented in Section 2, a part of its associated symbolic transition system
is shown in Figure 3 (the whole transition system contains 16 states), where we use the convention that
for all $x$, $y$, $z$:

$(x,y,z) = \gamma_{\{rq,go,out\}}(Train(0)[x] \parallel Train(1)[y]) \parallel Gate[z]$

In this transition system, two problems can be noted. The size of the symbolic transition system grows 
exponentially as more trains are added. This is the result of the interleaving actions that are executed 
between these models. Secondly, there is a great deal of redundant information. The invariants of 
the source and the target states are present not only in the labels of action transitions, but also in the 
environment transition of these states. Similarly, the initialization conditions are meaningful only for the 
initial environment transition. For the remaining environment transitions in the systems, the initialization 
predicate is always true. In the next section we show how to overcome these problems using a new kind 
of symbolic rules. 

3 Linear Transition Systems 

In this section we define a structure called linear transition system (LiTS), which contains all the
information necessary to represent an arbitrary CIF composition, and that can be translated to an equivalent
automaton.

Consider the symbolic transition system of the train gate model. In Figure 3 we show a transition of
the form:

$(N,F,C) \xrightarrow{go,\; p^+ = 0 \land n^+ = n + 1 \land wq^+ \mathbin{+\!\!+} [p^+] = wq,\; n = 0,\; n \leq 1} (P,F,O)$

The complete symbolic transition system also contains these transitions:

$(N,N,C) \xrightarrow{go,\; p^+ = 0 \land n^+ = n + 1 \land wq^+ \mathbin{+\!\!+} [p^+] = wq,\; n = 0,\; n \leq 1} (P,N,O)$

$(N,S,C) \xrightarrow{go,\; p^+ = 0 \land n^+ = n + 1 \land wq^+ \mathbin{+\!\!+} [p^+] = wq,\; n = 0,\; n \leq 1} (P,S,O)$

These three transitions only differ in the second component of the symbolic state, that is, the location in
which the second train is. However, this information is not relevant for computing the state change. If
we replace the above transitions by a unique transition of the form:

$(N,\_,C) \xrightarrow{go,\; p^+ = 0 \land n^+ = n + 1 \land wq^+ \mathbin{+\!\!+} [p^+] = wq,\; n = 0,\; n \leq 1} (P,\_,O)$
then we can avoid the state explosion caused by the interleaving actions. Here the wild-card symbol $\_$
can be read as "for any location".

[Figure 3 (diagram): part of the symbolic transition system rooted at $(\gamma_{\{rq,go,out\}}(Train(0) \parallel Train(1)) \parallel Gate)$. The initial environment transition, labeled $wq = [\,], n = 0$, leads to state $(F,F,C)$. From there, transitions labeled $rq, id^+ = 0 \land wq^+ = wq \mathbin{+\!\!+} [id^+], n = 0, n = 0$ and $rq, id^+ = 1 \land wq^+ = wq \mathbin{+\!\!+} [id^+], n = 0, n = 0$ lead to $(N,F,C)$ and $(F,N,C)$, which in turn reach $(P,F,O)$ and $(F,P,O)$ through transitions labeled $go, p^+ = 0 \land n^+ = n + 1 \land wq^+ \mathbin{+\!\!+} [p^+] = wq, n = 0, n \leq 1$ and $go, p^+ = 1 \land n^+ = n + 1 \land wq^+ \mathbin{+\!\!+} [p^+] = wq, n = 0, n \leq 1$. States carry environment self loops labeled $true, n = 0$ (gate closed) or $true, n \leq 1$ (gate opened).]

Figure 3: A part of the symbolic transition system for the train gate controller

Furthermore, in Figure [3] we see that there is no need to replicate the entire structure in a given 
transition, since it suffices to keep track of the locations that change. 

From the observation above, we want a linear transition system where the states are sequences of
locations, containing also wild-cards. These wild-cards are used to denote the fact that the location of a
certain automaton does not change in the transition. Formally the states of the LiTS belong to the set

$(\mathcal{L} \cup \{\_\})^* \quad (2)$

where $\_$ is the wild-card symbol, and $A^*$ is the set of all sequences whose elements are taken from the set
$A$. An example of such a state is the list $[F, \_, C]$.

The next thing to define is the transitions of the LiTS's, in such a way that the redundancy introduced 
by the STS's is eliminated. To accomplish this, we split action and environment transitions into several 
transitions, which are described next. 

Action Transitions They are of the form $p \models (vs) \xrightarrow{a,r} (vs')$, where $p \in \mathcal{C}$ is a composition, $a \in \mathcal{A}_\tau$ is
an action label, and $r \in \mathcal{P}$ is the update predicate associated to the action.

Synchronizing Actions They are of the form $p \xrightarrow{\mathrm{sync}} A$, where $p \in \mathcal{C}$ is a composition, and $A \subseteq \mathcal{A}$ is the
set of synchronizing actions of $p$.

Initialization Transitions They are of the form $p \xrightarrow{\mathrm{ipred}} fs$, where $p \in \mathcal{C}$ and $fs \in (\mathcal{L} \to \mathcal{P})^*$ is a list
containing the initialization predicate function of each automaton in $p$.

Invariant Transitions They are of the form $p \xrightarrow{\mathrm{inv}} fs$, where $p \in \mathcal{C}$ is a composition, and $fs \in (\mathcal{L} \to \mathcal{P})^*$
is a list containing the invariant function associated to each automaton in $p$.

The reader may have expected initialization or invariant transitions of the form:

$vs \xrightarrow{\mathrm{inv}} \rho$

where $vs$ is a list of locations, and $\rho$ is a predicate. However this approach requires enumerating
the state space explicitly to construct the relation. By using lists of functions we avoid this
explicit construction.

Wild-card Transitions They are of the form $p \xrightarrow{\_} xs$, where $p \in \mathcal{C}$ is a composition, and $xs \in \{\_\}^*$ is a
sequence of wild-cards whose size coincides with the number of automata that are composed in
parallel in $p$. These transitions are not needed for reconstructing the environment transitions; they
are used in the linear SOS rules to model the fact that nothing changes in a component of a parallel
composition when the other component performs an action.

In Table 3 we show some of the linear SOS rules for CIF compositions. We have omitted the rules
for synchronizing actions, initialization, and wild-card transitions since they are similar to the invariant
transitions.

The linear rules can be easily obtained from the symbolic ones. For action rules, the invariants, the
initialization predicates, and the synchronizing action label are simply omitted (since they can be obtained
from other transitions). The linear rule for interleaving parallel composition is almost identical to
the symbolic rule. The only differences are that the set $A$ is obtained from a $\mathrm{sync}$ transition, and we use
the wild-card transition to represent the fact that the locations of the other automaton are not relevant (at
the symbolic level at least). A similar observation can be made for the rule for parallel composition. In
this case, since we do not have the synchronizing label, we reconstruct it from the $\mathrm{sync}$ transition. This
label is equivalent to $a \in A$, thus a label true in both components is equivalent to $a \in A_p \land a \in A_q$, which
is in turn equivalent to $a \in A_p \cap A_q$.



$$\frac{}{(V, \mathrm{init}, \mathrm{inv}, E, \mathrm{acts}) \xrightarrow{\mathrm{inv}} [\mathrm{inv}]} \quad (15)
\qquad
\frac{p \xrightarrow{\mathrm{inv}} fs_p,\;\; q \xrightarrow{\mathrm{inv}} fs_q}{p \parallel q \xrightarrow{\mathrm{inv}} fs_p \mathbin{+\!\!+} fs_q} \quad (16)$$

$$\frac{(v,a,r,v') \in E}{(V, \mathrm{init}, \mathrm{inv}, E, \mathrm{acts}) \models ([v]) \xrightarrow{a,r} ([v'])} \quad (17)
\qquad
\frac{p \models (vs) \xrightarrow{a,r} (vs'),\;\; q \xrightarrow{\mathrm{sync}} A,\;\; q \xrightarrow{\_} xs,\;\; a \notin A}{p \parallel q \models (vs \mathbin{+\!\!+} xs) \xrightarrow{a,r} (vs' \mathbin{+\!\!+} xs)} \quad (18)$$

$$\frac{p \models (vs_p) \xrightarrow{a,r_p} (vs'_p),\;\; q \models (vs_q) \xrightarrow{a,r_q} (vs'_q),\;\; p \xrightarrow{\mathrm{sync}} A_p,\;\; q \xrightarrow{\mathrm{sync}} A_q,\;\; a \in A_p \cap A_q}{p \parallel q \models (vs_p \mathbin{+\!\!+} vs_q) \xrightarrow{a,\; r_p \land r_q} (vs'_p \mathbin{+\!\!+} vs'_q)} \quad (19)$$

$$\frac{p \xrightarrow{\mathrm{inv}} fs}{\gamma_A(p) \xrightarrow{\mathrm{inv}} fs} \quad (20)
\qquad
\frac{p \models (vs) \xrightarrow{a,r} (vs')}{\gamma_A(p) \models (vs) \xrightarrow{a,r} (vs')} \quad (21)$$

Table 3: Linear SOS rules for CIF compositions
If a composition $p$ contains no synchronizing actions, then the size of its induced transition system
is linear w.r.t. the size of $p$. However, the size of the LiTS also depends on the number of synchronizing
actions. The following property gives the formal details.

Property 1 (Size of the linear transition system) Let $p$ be a CIF composition, such that it contains $n$
automata $\alpha_i = (V_i, \mathrm{init}_i, \mathrm{inv}_i, E_i, \mathrm{acts}_i)$, $0 \le i < n$. Let $a$ be the only synchronizing action in these automata.
Then the number of transitions in the LiTS associated to $p$ is given by:

$$\sum_{0 \le i < n} \#\{x \mid (v,g,x,u,v') \in E_i \land x \neq a\} \;+\; \prod_{0 \le i < n} \#\{x \mid (v,g,x,u,v') \in E_i \land x = a\} \quad (3)$$

where $\#A$ is the number of elements in set $A$.

In spite of the fact that the number in (3) can be significantly large, in practice, communication
among components is usually restricted to a few automata, and the number of edges of an automaton that
contain a given synchronizing action $a$ is small.



3.1 Relating LiTS and STS 

In the same way symbolic transitions are related to explicit ones via soundness and completeness results,
linear transitions have the same property w.r.t. symbolic transitions.

The first two results state that a LiTS contains all the necessary information to reconstruct the
environment transitions in the symbolic transition system and vice-versa. Here "leads to transitions" refers
to the initialization, invariant, and synchronizing actions transitions in the LiTS. Given a composition $p$,
which contains $n$ atomic automata, and a sequence $ls$ of $n$ locations, $p[ls]$ is the composition obtained
by replacing the initial predicate function of the $i$-th automaton by $\mathrm{id}_{ls.i}$ for $0 \le i < n$, where $ls.i$ is the
element of sequence $ls$ at position $i$ (sequences are numbered starting from 0). $\mathrm{locsof}(p)$ refers to the set
of sequences $ls$, where $\#ls = n$ and $ls.i$ is a location of the $i$-th automaton of composition $p$ ($0 \le i < n$).

Theorem 5 (Soundness of leads to transitions) For all $p$, $is$, $fs$, $gs$, $A$, $u$, and $n$ we have that if the
following conditions hold:

1. $is \in \mathrm{locsof}(p)$

2. $p \xrightarrow{\mathrm{ipred}} fs$, $p \xrightarrow{\mathrm{inv}} gs$, $p \xrightarrow{\mathrm{sync}} A$

3. $u = \bigwedge_{0 \le i < \#fs} fs.i(is.i)$, and $n = \bigwedge_{0 \le i < \#gs} gs.i(is.i)$

then there is a symbolic transition $(p) \overset{u,n,A}{\dashrightarrow} (p[is])$.

Theorem 6 (Completeness of leads to transitions) For all $p$, $u$, $n$, $A$, and $p'$ we have that if there is an
environment transition $(p) \overset{u,n,A}{\dashrightarrow} (p')$ then there are $is$, $fs$, $gs$, $u$, and $n$ such that the following conditions
hold:

1. $is \in \mathrm{locsof}(p)$

2. $p \xrightarrow{\mathrm{ipred}} fs$, $p \xrightarrow{\mathrm{inv}} gs$, $p \xrightarrow{\mathrm{sync}} A$

3. $u = \bigwedge_{0 \le i < \#fs} fs.i(is.i)$, and $n = \bigwedge_{0 \le i < \#gs} gs.i(is.i)$, $p' = p[is]$






Linearization Through SOS 



The soundness theorem for linear action transitions shows how a symbolic action transition can be
obtained, using the leads to transitions as well. Functions $\sqsubseteq$ and $\succ$ are defined below, where $x : xs$ is the
list that results after appending the element $x$ to the front of $xs$.

Definition 3 (Sub-sequence and sequence overwriting) Function $\sqsubseteq \in A^* \to A^* \to \mathbb{B}$ is defined as
follows:

$[\,] \sqsubseteq xs = \mathrm{true}$

$(x : xs) \sqsubseteq (y : ys) = ((x = \_) \lor (x = y)) \land xs \sqsubseteq ys$

Function $\succ \in A^* \to A^* \to A^*$ is defined as follows:

$[\,] \succ xs = xs$

$(x : xs) \succ (y : ys) = \begin{cases} x : (xs \succ ys) & \text{if } x \neq \_ \\ y : (xs \succ ys) & \text{if } x = \_ \end{cases}$

Theorem 7 (Soundness of Linear Action Transitions) For all $p$, $vs$, $a$, $r$, $vs'$, $is$, $fs$, $gs$, $u$, $n$, $n'$, and $A$
we have that if the following conditions hold:

1. $is \in \mathrm{locsof}(p)$

2. $p \models (vs) \xrightarrow{a,r} (vs')$, $p \xrightarrow{\mathrm{ipred}} fs$, $p \xrightarrow{\mathrm{inv}} gs$, $p \xrightarrow{\mathrm{sync}} A$

3. $u = \bigwedge_{0 \le i < \#fs} fs.i(is.i)$, and $n = \bigwedge_{0 \le i < \#gs} gs.i(is.i)$, $n' = \bigwedge_{0 \le i < \#gs} gs.i((vs' \succ is).i)$, $vs \sqsubseteq is$, $b = a \in A$

then there is a symbolic transition: $(p) \xrightarrow{a,b,u,n,n',r} (p[vs' \succ is])$.

Theorem 8 (Completeness of Linear Action Transitions) For all $p$, $p'$, $a$, $b$, $u$, $n$, $n'$, and $r$ we have
that if there is a symbolic transition:

$(p) \xrightarrow{a,b,u,n,n',r} (p')$

then there are $vs$, $vs'$, $is$, $fs$, $gs$, and $A$ such that the following conditions hold:

1. $is \in \mathrm{locsof}(p)$

2. $p \models (vs) \xrightarrow{a,r} (vs')$, $p \xrightarrow{\mathrm{ipred}} fs$, $p \xrightarrow{\mathrm{inv}} gs$, $p \xrightarrow{\mathrm{sync}} A$

3. $u = \bigwedge_{0 \le i < \#fs} fs.i(is.i)$, and $n = \bigwedge_{0 \le i < \#gs} gs.i(is.i)$, $n' = \bigwedge_{0 \le i < \#gs} gs.i((vs' \succ is).i)$, $vs \sqsubseteq is$, $b = a \in A$,
$p' = p[vs' \succ is]$

These theorems can be proved using structural induction. The proofs are relatively simple, and are 
omitted due to space constraints. 



4 Obtaining a Linear Automaton from a LiTS 

Once a linear transition system is induced by the SOS rules, we need a way to obtain a linear automaton
from it. In this section we describe the procedure, and we show that the generated automaton is stateless
bisimilar [11] to the composition that induced the transition system. Both from a theoretical and a
practical point of view this is an interesting result, which tells us that every composition can be reduced
to an automaton (this is intuitively obvious for the language we present here, but it is not for CIF and its
hierarchical extension).

D.E. Nadales Agut & M.A. Reniers

Formally, given a composition $p$ and its associated LiTS $M$, we want to build an automaton $\alpha_p$
such that $p$ has the same behavior as $\alpha_p$. The idea is to simulate the execution of $M$, using $\alpha_p$. To
this end, we need to introduce a sequence of variables $ls$, which are used to represent the active state in
$M$ in a given execution. We call these variables location pointers [10]. Below, we give the definition²
of the linearization function, which returns the automaton associated to a given composition and the
location pointers used in it. The second component returned by the function is used later to formulate
the correctness result.

Definition 4 (Linearization Function) Let $p$ be a CIF composition. Function $L$, which maps a composition
to a pair consisting of an automaton and a sequence of variables, is defined as the least function that satisfies:

$L(p) = ((\{x\}, \mathrm{init}, \mathrm{inv}, E, \mathrm{acts}), ls)$

where

• $p \xrightarrow{\_} xs$, $\#xs = n$, $p \xrightarrow{\mathrm{ipred}} fs$, $p \xrightarrow{\mathrm{inv}} gs$, $p \xrightarrow{\mathrm{sync}} A$

• $(\forall i :: 0 \le i < n \Rightarrow ls.i \notin FV(p))$, $x \in \mathcal{L}$

• $\mathrm{init}(x) = \left(\bigwedge_{0 \le i < n} \bigwedge_{v \in \mathrm{dom}(fs.i)} (ls.i = v \Rightarrow fs.i(v))\right) \land \left(\bigwedge_{0 \le i < n} ls.i \in \mathrm{dom}(fs.i)\right)$

• $\mathrm{inv}(x) = \bigwedge_{0 \le i < n} \bigwedge_{v \in \mathrm{dom}(gs.i)} (ls.i = v \Rightarrow gs.i(v))$

• $E = \{(x, a, r \land \bigwedge_{0 \le i < n,\; vs.i \neq \_} (ls.i = vs.i \land ls.i^{+} = vs'.i), x) \mid p \models (vs) \xrightarrow{a,r} (vs')\}$

In the above definition we introduce $n$ free variables, which are used as location pointers, and we use
a location $x$ (which can be defined as the least location in $\mathcal{L}$) as the unique location of the automaton. The
initial predicate and invariant functions are conditional expressions, which ensure that the right predicate
is chosen according to the values of the location pointers. In the definition of the init function, the second
part of the conjunction forces the choice of an initial location (otherwise this predicate can be trivially
satisfied). The set of edges is constructed from the action transitions of the linear transition system. The
reset mapping in the action transitions is extended with updates to the location pointers to keep track of
the state in the linear transition system.

The well-definedness of function L is a consequence of the finiteness of LiTSs. Given a composition 
p, such that L(p) = {ap,ls), we say that ttp is the linear automaton associated to it. 

For the train gate model, the linear automaton associated to it is shown in Figure 4, where the initial
predicate and invariant functions are (once they are simplified):

$\mathrm{init}(x) = (l_0 = F \land l_1 = F \land l_2 = C \land wq = [\,])$
$\mathrm{inv}(x) = (l_2 = C \Rightarrow n = 0) \land (l_2 = O \Rightarrow n \leq 1)$
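The linear rules of Table 3, the sequence functions of Definition 3, Property 1 and the linearization function of Definition 4 can all be exercised on the train gate model. The Python program below is an added example written for this page; it is not code from the paper or from the CIF tool set. Its assumptions: predicates are represented as plain strings and conjunction is textual (nothing is simplified); the train and gate automata are transcribed from Figures 1 and 2 and the surrounding text, with the reset of the gate's out edge, which the paper does not show, assumed to be true; the location pointers are named l0, l1, ... and assumed fresh; and the cardinalities in Property 1 are read as counts of edges.

```python
# Added example, not the paper's code: an executable reading of the linear SOS rules
# of Table 3, Definition 3, Property 1 and the linearization function of Definition 4,
# run on a transcription of the train gate model. Predicates are plain strings.
from collections import namedtuple
from itertools import product

WILD = "_"  # wild-card location: "for any location"

Automaton = namedtuple("Automaton", "init inv edges acts")  # (V, init, inv, E, acts), V = dom(init)
Par = namedtuple("Par", "p q")                              # p || q
Gamma = namedtuple("Gamma", "A p")                          # gamma_A(p)
# init/inv map locations to predicate strings; edges are (v, a, r, v') tuples

def conj(*ps):
    """Textual conjunction with 'true' as the unit."""
    parts = [q for q in ps if q != "true"]
    return " and ".join(parts) if parts else "true"

def components(p):  # automata composed in parallel in p, left to right (rules 15, 16, 20)
    if isinstance(p, Automaton):
        return [p]
    if isinstance(p, Par):
        return components(p.p) + components(p.q)
    return components(p.p)

def sync(p):  # p --sync--> A
    if isinstance(p, Automaton):
        return p.acts
    if isinstance(p, Par):
        return sync(p.p) | sync(p.q)
    return p.A | sync(p.p)

def actions(p):  # p |= (vs) --a,r--> (vs'), returned as (vs, a, r, vs') tuples
    if isinstance(p, Automaton):  # rule 17: one transition per edge
        return [((v,), a, r, (w,)) for (v, a, r, w) in p.edges]
    if isinstance(p, Gamma):      # rule 21: gamma_A only changes the sync sets
        return actions(p.p)
    tp, tq, Ap, Aq = actions(p.p), actions(p.q), sync(p.p), sync(p.q)
    xp = tuple(WILD for _ in components(p.p))  # p --_--> xp
    xq = tuple(WILD for _ in components(p.q))  # q --_--> xq
    # rule 18 and its mirror image: a not synchronizing in the other component,
    # whose locations are irrelevant and therefore become wild-cards
    ts = [(vs + xq, a, r, ws + xq) for (vs, a, r, ws) in tp if a not in Aq]
    ts += [(xp + vs, a, r, xp + ws) for (vs, a, r, ws) in tq if a not in Ap]
    # rule 19: a synchronizing in both components, reset predicates conjoined
    ts += [(vp + vq, a, conj(rp, rq), wp + wq)
           for (vp, a, rp, wp), (vq, b, rq, wq) in product(tp, tq)
           if a == b and a in Ap & Aq]
    return ts

def subseq(xs, ys):  # xs ⊑ ys of Definition 3
    return all(x == WILD or x == y for x, y in zip(xs, ys))

def overwrite(xs, ys):  # xs ≻ ys of Definition 3: a wild-card in xs defers to ys
    if not xs:
        return tuple(ys)
    return ((ys[0] if xs[0] == WILD else xs[0]),) + overwrite(xs[1:], ys[1:])

def linearize(p):
    """Definition 4: one-location automaton x and the location pointers ls
    (names l0, l1, ... assumed not to occur free in p)."""
    ms, A = components(p), sync(p)
    ls = tuple(f"l{i}" for i in range(len(ms)))
    init = conj(*[f"({ls[i]} = {v} -> {m.init[v]})" for i, m in enumerate(ms) for v in m.init],
                *[f"{ls[i]} in {{{', '.join(sorted(m.init))}}}" for i, m in enumerate(ms)])
    inv = conj(*[f"({ls[i]} = {v} -> {m.inv[v]})" for i, m in enumerate(ms) for v in m.inv])
    edges = []
    for vs, a, r, ws in actions(p):  # resets extended with location pointer updates
        ptr = [f"{ls[i]} = {vs[i]} and {ls[i]}+ = {ws[i]}" for i in range(len(ms)) if vs[i] != WILD]
        edges.append(("x", a, conj(r, *ptr), "x"))
    return Automaton({"x": init}, {"x": inv}, tuple(edges), A), ls

def lits_size(automata, a):  # Property 1, reading #{...} as the number of edges
    rest = sum(sum(1 for e in m.edges if e[1] != a) for m in automata)
    prod = 1
    for m in automata:  # every combination of a-edges synchronizes
        prod *= sum(1 for e in m.edges if e[1] == a)
    return rest + prod

def train(i):  # Train(i) of Figure 2, transcribed from the paper's description
    go = f"p+ = {i} and n+ = n + 1"
    return Automaton(init={"F": "true", "N": "false", "S": "false", "P": "false"},
                     inv={"F": "true", "N": "true", "S": "true", "P": "true"},
                     edges=(("F", "rq", f"id+ = {i}", "N"), ("N", "go", go, "P"),
                            ("N", "stop", "true", "S"), ("S", "go", go, "P"),
                            ("P", "out", "n+ = n - 1", "F")),
                     acts=frozenset())

GATE = Automaton(init={"C": "wq = []", "O": "false"},  # Figure 1; the reset of its out edge
                 inv={"C": "n = 0", "O": "n <= 1"},    # is not shown in the paper, assumed true
                 edges=(("C", "rq", "wq+ = wq ++ [id+]", "C"), ("O", "rq", "wq+ = wq ++ [id+]", "O"),
                        ("C", "go", "wq+ ++ [p+] = wq", "O"), ("O", "out", "true", "C")),
                 acts=frozenset({"rq", "go", "out"}))
SYNC = frozenset({"rq", "go", "out"})
TRAIN_GATE = Par(Gamma(SYNC, Par(train(0), train(1))), GATE)  # composition (1)

if __name__ == "__main__":
    print(*linearize(TRAIN_GATE)[0].edges, sep="\n")
```

Running `linearize(TRAIN_GATE)` yields the three location pointers and a single-location automaton with 12 edges: the two stop edges produced by rule 18 and the ten synchronized rq, go and out edges produced by rule 19. The wild-card transition $(N,\_,C) \to (P,\_,O)$ of Section 3 appears among `actions(TRAIN_GATE)`, and `overwrite(("P", "_", "O"), ("N", "F", "C"))` computes the target $p[vs' \succ is]$ of Theorem 7. `lits_size` checks Property 1 on a composition in which the single synchronizing action is shared by every automaton, which is the case the property covers.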



² Strictly speaking, function $L$ is not uniquely determined, since it is possible to pick different location pointers. This can
be avoided by defining a function that returns the least $n$ fresh variables in a given composition (assuming variables are totally
ordered). A similar observation can be made about location $x$.
[Figure 4 (diagram): single-location linear automaton of the train gate model with $\mathrm{acts} = \{rq, go, out\}$. Its edges carry the rq, stop, go and out resets of the trains and the gate, each extended with the location pointer updates on $l_0$, $l_1$ and $l_2$; for instance $rq, id^+ = 0 \land wq^+ = wq \mathbin{+\!\!+} [id^+] \land l_0 = F \land l_0^+ = N \land l_2 = C \land l_2^+ = C$ and $stop, l_0 = N \land l_0^+ = S$.]

Figure 4: Linear version of the gateway model



The next step is to prove that the linear version of a composition is indeed equivalent to it. If we 
consider the transition systems they induce, we find that these differ significantly from each other: they 
have different labels, invariants, etc. Thus, if we want to prove equivalence at the LiTS level, we need a 
non-trivial definition of equivalence. 

A better strategy is to prove equivalence at the labeled transition level (using the explicit semantics). 
Therefore, we prove that p and its associated linear automaton are stateless bisimilar, after abstracting 
away the values of the program counters (or location pointers). The standard notion of strong bisimilarity [11] is defined below. 

Definition 5 (Strong Bisimilarity for SOS) A symmetric relation R is a strong bisimulation relation if 
for all $(p,q) \in R$, and for all $a, \sigma, p', \sigma'$, the following transfer conditions hold: 

1. $(p,\sigma) \xrightarrow{a} (p',\sigma') \Rightarrow (\exists q' :: (q,\sigma) \xrightarrow{a} (q',\sigma') \wedge (p',q') \in R)$ 

2. $(p,\sigma) \longmapsto (p',\sigma') \Rightarrow (\exists q' :: (q,\sigma) \longmapsto (q',\sigma') \wedge (p',q') \in R)$ 

Two closed terms p and q are strongly bisimilar, denoted $SOS \models p \leftrightarrow q$, if $(p,q) \in R$ for some strong 
bisimulation relation R. 

Next, we present the SOS rules for the variable scope operator in Table 4 (the rules for environment 
transitions are similar and therefore omitted). In these rules we make use of the following notations: 
• Given two sequences xs and ys such that $\#xs = \#ys$, $\{xs \mapsto ys\} \in \mathrm{ran}(xs) \to \mathrm{ran}(ys)$ is the function 
defined as follows: 

$\{xs \mapsto ys\} = \{(xs.i,\ ys.i) \mid 0 \le i < \#xs\}$ 

• The notation above is overloaded to denote a similar function; this keeps the notation 
concise without causing confusion. Given a sequence xs and an element y, $\{xs \mapsto y\} \in 
\mathrm{ran}(xs) \to \{y\}$ is the function defined as follows: 

$\{xs \mapsto y\} = \{(xs.i,\ y) \mid 0 \le i < \#xs\}$ 

• Symbol $\bot$ denotes the undefined value. 

$$\frac{(p,\ \{xs \mapsto vs\} \rhd \sigma) \xrightarrow{a} (p',\ \{xs \mapsto vs'\} \rhd \sigma')}{(|[\mathrm{V}\ \{xs \mapsto vs\} :: p]|,\ \sigma) \xrightarrow{a} (|[\mathrm{V}\ \{xs \mapsto vs'\} :: p']|,\ \sigma')}$$

$$\frac{(|[\mathrm{V}\ \{xs \mapsto vs\} :: p]|,\ \sigma) \xrightarrow{a} (|[\mathrm{V}\ \{xs \mapsto vs'\} :: p']|,\ \sigma')}{(|[\mathrm{V}\ \{xs \mapsto \bot\} :: p]|,\ \sigma) \xrightarrow{a} (|[\mathrm{V}\ \{xs \mapsto vs'\} :: p']|,\ \sigma')}$$

Table 4: SOS rules for the variable scope operator 

Using the previously defined operator and the notion of stateless bisimilarity, we can state the 
theorem which establishes that the linearization procedure is correct. 

Theorem 9 (Correctness of the Linearization) Let p be a composition, and $L(p) = (\alpha_p, ls)$. Then we 
have: 

$SOS \models p \leftrightarrow |[\mathrm{V}\ \{ls \mapsto \bot\} :: \alpha_p]|$ 

Proof 1 It is possible to prove that the following relation: 

$$R \triangleq \{(p,\ |[\mathrm{V}\ \{ls \mapsto \bot\} :: \alpha_p]|) \mid (\alpha_p, ls) = L(p)\} \;\cup\; 
\{(p[is],\ |[\mathrm{V}\ \{ls \mapsto is\} :: \alpha_p]|) \mid (\alpha_p, ls) = L(p) \wedge is \in \mathit{locsof}(p)\} \quad (4)$$ 

is a witness of the bisimulation. The proof uses the soundness and completeness results presented in 
Sections 2.1 and 3.1, and it does not require the use of structural induction. 
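The construction of the linear automaton described above (one location, location pointers as variables, edges whose reset mapping is extended with pointer updates) and the bisimulation argument of Definition 5 and Theorem 9 can be exercised on a small instance. The following Python program is an added example, not the paper's algorithm or CIF's semantics: it assumes a toy composition in which automata synchronise on shared action names and interleave on private ones, it leaves out data variables, guards, invariants and environment transitions, and its train and gate automata (`TRAIN`, `GATE`, with actions `rq`, `go`, `out`) are constructed for the example and are not the paper's model. It builds the state space of the composition, linearises it into a single location `X` with pointer variables `l0`, `l1`, and checks that the witness relation of Proof 1 (each location tuple paired with `X` and the pointers valued accordingly) satisfies both transfer conditions; a deliberately broken linearisation fails the check.

```python
"""Toy version of the linearization described above and a check that the
witness relation of Theorem 9 satisfies the transfer conditions of
Definition 5. Added example, not the paper's CIF algorithm."""
from itertools import product

# Automaton = (initial location, edges as (src, action, dst)). Constructed
# sample loosely following the train gate model; names are assumptions.
TRAIN = ("F", [("F", "rq", "N"), ("N", "go", "P"), ("P", "out", "F")])
GATE = ("C", [("C", "go", "O"), ("O", "out", "C")])


def reachable(init, step):
    """Explicit LTS (init, transitions); step(s) yields (action, successor)."""
    trans, todo, seen = set(), [init], {init}
    while todo:
        s = todo.pop()
        for act, nxt in step(s):
            trans.add((s, act, nxt))
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return init, trans


def composition_lts(automata):
    """State space of the composition: states are location tuples. Toy
    semantics assumed here: an action shared by several automata is taken
    by all of them at once, a private action interleaves."""
    alphabets = [{a for _, a, _ in edges} for _, edges in automata]

    def step(state):
        for act in set().union(*alphabets):
            owners = [i for i, alpha in enumerate(alphabets) if act in alpha]
            # every owner needs an act-edge leaving its current location
            options = [[d for s, a, d in automata[i][1]
                        if s == state[i] and a == act] for i in owners]
            for dsts in product(*options):
                nxt = list(state)
                for i, d in zip(owners, dsts):
                    nxt[i] = d
                yield act, tuple(nxt)
    return reachable(tuple(i for i, _ in automata), step)


def linearize(lts):
    """One location X, pointer variables l0..l(n-1), an init predicate pinning
    the pointers to the initial tuple, and one edge per transition whose
    guard reads the pointers and whose update moves them."""
    init, trans = lts
    ptrs = tuple(f"l{i}" for i in range(len(init)))
    edges = [("X", dict(zip(ptrs, src)), act, dict(zip(ptrs, dst)), "X")
             for src, act, dst in trans]
    return {"init": ("X", dict(zip(ptrs, init))), "edges": edges}


def automaton_lts(aut):
    """Explicit LTS of the linear automaton: states are (location, valuation)."""
    def step(state):
        loc, val = state
        cur = dict(val)
        for src, guard, act, upd, dst in aut["edges"]:
            if src == loc and all(cur[k] == v for k, v in guard.items()):
                yield act, (dst, frozenset({**cur, **upd}.items()))
    loc0, val0 = aut["init"]
    return reachable((loc0, frozenset(val0.items())), step)


def is_strong_bisimulation(rel, lts1, lts2):
    """Transfer conditions of Definition 5 on rel and its inverse (so rel
    need not be given symmetric); action transitions only."""
    def succ(trans):
        out = {}
        for s, a, d in trans:
            out.setdefault(s, set()).add((a, d))
        return out

    def transfer(p, q, sp, sq, related):
        # every p -a-> p' needs a matching q -a-> q' with (p', q') related
        return all(any(b == a and related(p2, q2) for b, q2 in sq.get(q, ()))
                   for a, p2 in sp.get(p, ()))
    s1, s2 = succ(lts1[1]), succ(lts2[1])
    return all(transfer(p, q, s1, s2, lambda x, y: (x, y) in rel)
               and transfer(q, p, s2, s1, lambda x, y: (y, x) in rel)
               for p, q in rel)


def witness(comp):
    """Relation R of Proof 1: each location tuple ls of the composition is
    paired with the linear automaton at X with its pointers valued ls."""
    init, trans = comp
    states = {init} | {s for s, _, _ in trans} | {d for _, _, d in trans}
    return {(ls, ("X", frozenset((f"l{i}", v) for i, v in enumerate(ls))))
            for ls in states}


def check_train_gate():
    """True: the composition and its linearization are strongly bisimilar."""
    comp = composition_lts([TRAIN, GATE])
    return is_strong_bisimulation(witness(comp), comp, automaton_lts(linearize(comp)))


def check_broken_linearization():
    """False: dropping one generated edge breaks a transfer condition."""
    comp = composition_lts([TRAIN, GATE])
    aut = linearize(comp)
    aut["edges"] = aut["edges"][1:]
    return is_strong_bisimulation(witness(comp), comp, automaton_lts(aut))
```

`check_train_gate()` returns True and `check_broken_linearization()` returns False. The check deliberately tests a given relation against the transfer conditions rather than computing the greatest bisimulation by partition refinement, because that mirrors the shape of Proof 1: exhibit R and verify it, with no structural induction over the composition.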



5 Concluding Remarks 

We have presented a linearization algorithm for a subset of CIF, which shows that every CIF composition 
can be reduced to an automaton. The linearization procedure was obtained in a stepwise manner from 
the SOS specification of the language. In this way, SOS rules are used not only to specify the behavior 
of CIF, but also as a specification formalism for performing semantics-preserving manipulations on the 
syntactic elements of the language. 

The soundness and completeness results between the different transition systems give us a simple 
proof of correctness of the linearization procedure. The different levels at which a language is described 
(explicit, symbolic, and linear semantics) provide a convenient way to tackle specific problems. The 
explicit semantics is useful for achieving an abstract and succinct specification of the language. The 
symbolic semantics gives us the means for specifying symbolic computations. Finally, the linear semantics 
yields an efficient representation of the state space associated to a given composition. 

We conjecture that the method presented here can be applied to any automaton-based language. For 
process-algebraic specification languages it may not be suitable, due to the presence of recursion. 

As future work, we plan to extend the linearization algorithm to the full CIF, and therefore to 
a hybrid setting. Time-can-progress predicates and dynamic types can be extracted in the same way 
invariants were extracted in this work, and therefore we expect no problems in this regard. 